Five Questions for Cisco Talos: Known hacker group targets structures in Ukraine

October 11, 2022

The Cisco Talos security team supports Ukrainian organisations in defending against cyber attacks. In the process, the researchers have come across a new malware campaign targeting government agencies, critical infrastructure operators and defence, security and law enforcement organisations in Ukraine. According to the security researchers, the pro-Russian hacker group Gamaredon is behind this campaign. Holger Unterbrink, Technical Leader of Cisco Talos in Germany, explains the background:

Holger Unterbrink, Technical Leader von Cisco Talos in Deutschland

How do the current malware attacks work?

“The campaign has been active since August 2022 and focuses on data theft and espionage. To gain long-term access to victim systems, the threat actors use prepared phishing documents. These pretend to contain information relating to the Russian invasion of Ukraine. However, they actually hide remote templates with malicious macros. Their job is to place malware on victims’ computers to then exfiltrate targeted information.”

What makes this method of attack particularly dangerous?

“In this case, the actors use a specially crafted “information stealer”. This is a malware with a dual scope. On the one hand, it is able to steal the file types that are particularly interesting for the attacker. Secondly, it can be used to place additional targeted payloads on infected computers.”

Talos recognises the signature of the hacker group Gamaredon in this attack. Why?

“We see great similarities in the tactics, techniques, malware and infrastructure used with attacks uncovered by CERT-UA, Ukraine’s Computer Emergency Response Team, and attributed to Gamaredon.”

What do we know about Gamaredon?

“The group is a threat actor that has been active since at least 2013 and has been consistently linked to pro-Russian activity over the years. Gamaredon is extremely aggressive, but does not usually draw attention to itself with high-profile campaigns. In our estimation, however, the group is on par with some of the most prolific crimeware gangs. Interestingly, their approach is not what one would expect from an advanced hacking group. Such groups, called “APT”, focus on targeted, high-impact activities that leave extremely little trace and are therefore difficult to detect. Gamaredon is the exact opposite of this. The group uses common tactics from the world of crimeware and is extremely “loud” for a threat actor. Gamaredon also lacks the sophisticated techniques we see in some advanced operations. However, it has an extremely broad infrastructure and controls more than 600 domains that it deploys at various points along the infection timeline.”

How dangerous is the group for German companies?

“Due to the group’s specific approach, this question is difficult to answer. So far, we see no signs that the group directly profits from the information of its victims. We therefore do not rule out the possibility that it acts as a service provider on behalf of other APT actors. And another peculiarity: In contrast to the usual approach of APTs, Gamaredon does not target a specific victim group, but instead targets users all over the world. This group targets everyone from banks in Africa to educational institutions in the US. And at the latest here, companies and institutions in Germany should also be on their guard.”

Details of the Talos security researchers’ findings can be found in these blog posts:
https://blog.talosintelligence.com/2021/02/gamaredonactivities.html
https://blog.talosintelligence.com/2022/09/gamaredon-apt-targets-ukrainian-agencies.html?m=1

Genetec

Related Articles

Belgium becomes football world champion, at least digitally

> The big digital check for the World Cup by nexum AG> Germany in 3rd place behind the Netherlands, but ahead of England, France and Spain In the next four weeks, the sporting world champion will be determined among the best football teams. But already today a winner...

Every fifth German open to e-prescription

Every fifth German open to e-prescription

Seniors over 65, however, are in favour of the completely analogue or predominantly analogue variantOne in five Germans would want to redeem a doctor's prescription exclusively digitally in future. Another 21 per cent would choose the digital option for the most part....

Stupid pupils cost the economy around 700 billion euros

Stupid pupils cost the economy around 700 billion euros

According to the ifo study, two-thirds of young people globally do not achieve basic skills Two-thirds of young people worldwide do not achieve basic skills that should be taught in school. This is according to a new study by the Ifo Institute (https://ifo.de). In...